Having trouble getting Traffic Shaping to work
-
Hi. I am new to pfSense and dummynet. I have spent the past two days trying to get a limiter working and I am at a point where I need to ask for help.
I am trying to simulate a "bad" WAN, to diagnose problems with a socket application.
I am running pfSense 2.0.1 in a vanilla router/firewall configuration. Basic routing is working fine. The LAN side is 192.168.2/24, the WAN side is 192.168.0/24.
I created a pair of limiters like this:
Name: WANin (and WANout, otherwise identical)
Enabled
Delay: 2ms
Packet loss rate: .1 (just for testing)
Queue size: I have tried blank and 10
I then created a single Rule for the WAN interface:
Action: Pass
Interface: WAN
Protocol: any (I have also tried TCP/UDP)
Source, Destination: defaults - "not", type any, no address
In/Out: in=WANin, out=WANout
The rule is enabled, and not floating.
I have not created any queues or schedules (do I need to?).
From a PC on the LAN side, I ping a system on the WAN side -
all responses < 1ms
my delay of 2ms and my 10% packet loss are not having any effect.
Again from a PC on the LAN side, I scp a 1MB file to a system on the WAN side:
ifconfig after the transfer shows no dropped packets
Obviously I am doing something wrong. Can anyone tell me what?
Following is the output of "ipfw" commands.
ipfw pipe show
00001: unlimited 0 ms burst 0
q131073 50 sl.plr 0.100000 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
sched 65537 type FIFO flags 0x0 0 buckets 1 active
0 ip 0.0.0.0/0 0.0.0.0/0 1 68 0 0 0
00002: unlimited 0 ms burst 0
q131074 50 sl.plr 0.100000 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 droptail
sched 65538 type FIFO flags 0x0 0 buckets 0 active
ipfw queue show
(empty)
ipfw sched show
00001: unlimited 0 ms burst 0
sched 1 type WF2Q+ flags 0x0 0 buckets 0 active
00002: unlimited 0 ms burst 0
sched 2 type WF2Q+ flags 0x0 0 buckets 0 active
I have tried to force the ipfw rules to reflect what I want:
ipfw pipe 1 config delay 20 plr 0.1
ipfw pipe 2 config delay 20 plr 0.1
ipfw pipe show:
00001: unlimited 2 ms burst 0
q131073 50 sl.plr 0.100000 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
sched 65537 type FIFO flags 0x0 0 buckets 0 active
0 ip 0.0.0.0/0 0.0.0.0/0 1 68 0 0 0
00002: unlimited 2 ms burst 0
q131074 50 sl.plr 0.100000 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 droptail
sched 65538 type FIFO flags 0x0 0 buckets 0 active
But the test results are the same: no delay, no dropped packets.
I am thoroughly stuck, I would be very grateful for any help.
-
I don't know whether my post was too long, or the problem was too difficult… or too easy. But so far no responses.
Guys, girls, I am VERY stuck and I could really use some help.
I have tried a completely different approach but I am still equally stuck. Here is what I did.
I re-installed pfsense so this is a clean installation. Then I created my firewall rules from the command line:
kldload dummynet
kldload ipfw
ipfw add pipe 1 ip from any to any
ipfw pipe 1 config bw 1k plr 0.10
ipfw add pipe 2 icmp from any to any
ipfw pipe 2 config bw 1k plr 0.10
ipfw pipe show
00001: 1.000 Kbit/s 0 ms burst 0
q131073 50 sl.plr 0.100000 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
sched 65537 type FIFO flags 0x0 0 buckets 0 active
00002: 1.000 Kbit/s 0 ms burst 0
q131074 50 sl.plr 0.100000 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 droptail
sched 65538 type FIFO flags 0x0 0 buckets 0 active
If I understand things correctly (and I have read the ipfw man page several times), all of the traffic through the pfsense router should be limited to 1K and it should drop 10% of the packets (probably on the way in AND on the way out).
I pinged 100 times through the router, from LAN to WAN. NO ERRORS.
I scp'd an 800K through the router, LAN to WAN.
Then:
ipfw show
00100 0 0 pipe 1 ip from any to any
00200 0 0 pipe 2 icmp from any to any
65535 0 0 allow ip from any to any
Don't those counters indicate the traffic is not hitting my rules?
How can that be?
What simple thing am I missing?
-
Hi Lee
I too have had similar issues with getting the traffic shaping to behave the way I would expect and have not been able to get anywhere using the available TIDs. Did you make any progress with this?
Thanks
Steve
-
I then created a single Rule for the WAN interface:
Action: Pass
Interface: WAN
Protocol: any (I have also tried TCP/UDP)
Source, Destination: defaults - "not", type any, no address
In/Out: in=WANin, out=WANout
"Not" "Any" means the rule does not match any traffic. It will not direct traffic through the queues defined.
What you need is a rule that catches everything, meaning you uncheck "Not".
Secondly, check the direction of the rule. It matches traffic based on whether it is leaving the WAN or entering the WAN port.
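
The counter question raised with the `ipfw show` output earlier in the thread can be checked mechanically. The following is an added example, not part of any post: it reads rule counters and separates "no rule counted any packet" from "other rules counted packets but the pipe rules did not". The function names, result labels and the second sample are assumptions made for illustration.

```python
import re

# The `ipfw show` output quoted in the thread.
THREAD_OUTPUT = """\
00100 0 0 pipe 1 ip from any to any
00200 0 0 pipe 2 icmp from any to any
65535 0 0 allow ip from any to any
"""

# Constructed contrast sample (not from the thread): traffic is counted,
# but only by the default rule.
CONTRAST_OUTPUT = """\
00100 0 0 pipe 1 icmp from any to any
65535 1200 950000 allow ip from any to any
"""

# rule number, packet counter, byte counter, action, remainder of the rule
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")


def parse_rules(text):
    """Parse `ipfw show` lines into dicts; lines that do not match are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            num, pkts, byts, action, body = m.groups()
            rules.append({"rule": int(num), "packets": int(pkts),
                          "bytes": int(byts), "action": action, "body": body})
    return rules


def diagnose(text):
    """Return (label, rule numbers of pipe/queue rules with a zero packet counter)."""
    rules = parse_rules(text)
    if not rules:
        return "no-rules", []
    idle = [r["rule"] for r in rules
            if r["action"] in ("pipe", "queue") and r["packets"] == 0]
    if all(r["packets"] == 0 for r in rules):
        # Even the catch-all rule counted nothing since the counters were last
        # cleared: no packet was evaluated against this ruleset.
        return "ruleset-not-evaluated", idle
    if idle:
        # Packets were counted elsewhere, so the pipe rules did not match them.
        return "limiter-rules-bypassed", idle
    return "limiter-rules-hit", []


if __name__ == "__main__":
    print(diagnose(THREAD_OUTPUT))
    print(diagnose(CONTRAST_OUTPUT))
```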